Researchers Discover Malware That Records the Screen of French Internet Users Watching Porn

Security researchers discovered a new form of malware that specifically targeted users of a French telecom giant. One of the more disturbing features of this malware is its capability to identify when someone was likely viewing porn and record their screen.

Researchers at IT security company ESET spotted the malware, which they coined Varenyky, in May of this year, and in July, operators of the malware launched their first sextortion scam. The malware targets customers of Orange S.A., a French internet service provider, and filters out non-French users based on the location of someone’s computer.

According to the researchers, the malware is sent in the form of an email with a fake Microsoft Word attachment under the guise of a €491.27 bill. The document is actually malware, and opening it infects the user’s computer. The researchers pointed out that the hackers routinely tweaked and added commands to the malware, and that a recent version deployed a hidden desktop on someone’s computer that was able to navigate menus, read text, take screenshots, click on the screen, adjust windows, and even record the screen’s activity.

One feature the researchers spotted in one version of the malware was that it would search for porn-related words in French in a user’s window and subsequently record the screen and upload it the command and control server, which is a computer that can send instructions to a device infected with malware.

The researchers noted, though, that while the malware is capable of recording someone’s screen while they watch porn, they didn’t find any evidence indicating that the hackers exploited these recordings beyond collecting them. That being said, in July, the hackers did deploy a sextortion scam—in which someone was blackmailed through sexual material.

The sextortion scam is also sent in the form of an email and informs the recipient that a virus-infected their computer when they were watching porn, and that the hackers have gained access to their computer. The scammer also claims that they have a video of both the porn the victim was watching as well as a recording from their webcam of “you having… fun.”

The scammer says that if they don’t pay them €750 in bitcoin within 72 hours, they’ll send the video to family, coworkers, and post it on social media. “This offer is non-negotiable, do not waste my time and yours, think about the consequences of your actions,” it states in the email sign-off. The researchers said that one bot can send up to 1,500 emails in an hour, and as of 8 August, the bitcoin address included in the sextortion email had received four payments.

Sextortion campaigns and phishing attacks that can give a hacker access to your desktop are hardly unique forms of online exploitation, but this newly spotted malware indicates that they aren’t going anywhere and that people are still easily duped by inarguably unsettling threats.

The researchers also note that the operators of this malware tweaked it a lot over the course of two months, indicating that they “are inclined to experiment with new features that could bring a better monetisation of their work.” In this case, the best way to scare French internet users into paying a gross grifter in return for peace of mind.